Sony BMG issues recall order for XCP-endowed CDs

Los Angeles (CA) - Late yesterday, music publisher Sony BMG issued a statement saying it has launched a customer exchange initiative, which effectively recalls all of its CDs that include the XCP copy protection system.

"We share the concerns of consumers regarding discs with XCP content-protected software," the statement reads, "and, for this reason, we are instituting a consumer exchange program and removing all unsold CDs with this software from retail outlets. We deeply regret any inconvenience this may cause our customers."

No details were given regarding how retailers will be expected to manage the exchange program, but a further statement is expected from Sony BMG later today, and TG Daily will provide those details as soon as they are available.

The statement reiterates that the problems caused by XCP, which Sony BMG refers to as "the issues regarding these discs," only affect their use in personal computers, not audio CD players. The statement also notes that last week the company ceased manufacture of audio CDs containing First 4 Internet’s XCP protection scheme, and that it has made F4i’s patch available to the public, as well as to security software companies. That patch disables the stealth technology F4i uses to make XCP impossible to uninstall through normal means.

Yesterday, as we reported here, security expert Dan Kaminsky wrote on his Web site that his own tests of the caches of DNS servers throughout the Internet have led him to estimate that over half a million such servers have processed requests for the XCP Web page. Kaminsky believes this to be evidence that the XCP software is a rootkit - a malicious stealth communications package - as is the contention of a class-action lawsuit filed against Sony BMG last week in Los Angeles County District Court.

Sony BMG and First 4 Internet continue to maintain that their software is not a rootkit, which is a critical point in light of the damage that rootkits have been known to cause. By comparison, there are several known drivers which run "in the background" on many Windows users’ operating systems - for instance, "launch assist" programs for media players and universal document format programs, which also contact their home servers through DNS at periodic intervals. However, these programs have not been known to use stealth to hide their presence, and there is ample evidence that most do not monitor aspects of user behavior, such as which CDs a user places into her CD-ROM player.